By Karla Grossenbacher, Partner, Seyfarth Shaw LLP
It is no secret that data breaches, and lawsuits over data breaches, are on the rise. Almost every day, we wake to news of another high profile data breach and another high profile lawsuit, usually a class action, resulting from the breach. Every company that maintains personally identifiable information ("PII") needs a data breach response plan. (And if your company has one employee and provides that employee with wages or benefits, you are likely maintaining some PII about the employee.) Below are the top ten action items for you to take in the wake of a data breach that will help protect your company in the event litigation ensues.
1. Identify A Data Breach Response Team
The first thing you need to do after a data breach occurs is identify the team that will lead the charge in investigating and remediating the breach. The team will ideally include people with different areas of subject matter expertise, including: (1) one or more persons from your information technology department; (2) your chief privacy officer, if you have one; (3) your head of security; (4) a human resources representative; (5) the leader of the business unit affected by the breach; (6) a member of your internal audit or compliance team; and (7) a public relations specialist. Some members of the data breach response team may not be internal to your organization.
2. Lay The Foundation For Privilege
Before the team begins its investigation, steps must be taken to establish that the results of the investigation will be considered attorney work product and that communications made by team members about the investigation will be protected by the attorney-client privilege. Outside or in-house legal counsel should draft a memorandum stating that the data breach response team is being convened at the direction of counsel in order to collect information for the purpose of obtaining legal advice concerning the breach and in anticipation of litigation.
3. Verify the Data Breach
The first task of the data breach response team is to verify that a data breach occurred and whether it is the type of breach that could trigger a data breach notification statute. Although each law differs, generally speaking, state data breach notification statutes are triggered by a breach of unencrypted, computerized PII that presents a risk of harm to the person(s) whose PII was compromised.
4. Conduct An Investigation
The principal focus of the investigation conducted by the data breach response team is to collect data about the breach. Your IT personnel, or an outside forensic consultant, will play a key role in this. The team should collect information regarding how and when the breach was discovered, what type of breach occurred, how it occurred, the duration of the breach, what information was put at risk, and the identity of the individuals affected by the breach.
5. Assess Risk
Once you have the basic facts about the breach, you need to assess the legal risk. You should determine what data breach notification laws apply to the information that has been compromised. This is typically a function of the state of residency of the individual(s) whose PII has been put at risk. You should also check to see if your company has insurance that would arguably cover any losses resulting from the data breach, and if so, notify the carrier. If your company retained a third-party vendor to maintain the PII that was compromised, review the contract and look at what provisions apply in the event of a breach, especially any clauses concerning indemnification. If the breach was caused by employee error or malfeasance, determine what, if any, disciplinary action will be taken. Lastly, you should assess the claims that could be asserted against the company as a result of the breach and determine how best to position the company for defense of the litigation.
6. Develop A Notification Plan
If notification regarding the breach is required by statute, then you need to ensure that notice is made in a timely and legally compliant manner. First, consider whether, based on the size of the breach, you are going to handle the notification internally or retain a vendor to handle it. Second, determine whether or not you meet any of the statutory thresholds for substitute notice under the applicable breach notification statutes. Once you have determined the method of notice, you need to draft your template notice (or notices, if multiple statutes with different content requirements are in play) and make a list of the individuals and/or entities to whom notice must be sent. To keep yourself organized, and more importantly to demonstrate compliance, you should maintain a list of the individuals to whom notice has been sent, when each notice was sent, and to what address.
7. Develop A Communication Plan
The communication plan is separate from the data breach notification plan. The notification plan is more the realm of the lawyers; the communication plan is more the realm of public relations. You should think about both internal communications (with employees, board of directors, business partners, etc.) and external communications (with affected individuals, the media, law enforcement). External and internal communications about a data breach should be similar because in this day and age one can expect that any communications made regarding the breach internally can and will be sent outside the organization.
8. Decide Whether You Will Offer Remediation Services To Affected Individuals
Except in California and Connecticut, offering remediation services to affected individuals is optional. (Both California and Connecticut require the provision of credit monitoring services to those affected by a covered data breach.) Even if not required by law, offering remediation services can go a long way towards generating consumer goodwill in the wake of a breach. It can also affect outcomes in litigation by reducing potential damages or by positively influencing the jury's perception of the company that experienced the breach. Some typical remediation services are credit monitoring, identity theft insurance, reimbursement for credit freezing services, and providing those affected with identity theft informational packets.
9. Taking A Step Back
After investigating and remediating the breach, you should take a step back to analyze the breach itself and the company's response to it. Think about what, if anything, could have been done to prevent the breach. If systems failed or people made errors, determine how this can be avoided in the future. If applicable, make a plan to provide information security training to the relevant personnel.
10. Have A Written Data Breach Response Plan
Items 1-9 above should all be incorporated into a written data breach response plan. This will be Exhibit A for the company's defense in the event litigation is filed regarding the data breach. The most common claim in data breach litigation is negligence, and showing that you had a data breach response plan in place and complied with it is an effective way of showing that you acted reasonably in response to the breach.